urelas | 8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631b

General

Target

8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631bN.exe
Size

332KB
MD5

3b9ade18c8b4df86c5bd3f3a5d887aa0
SHA1

c99b80556dfaa059a3f02761a30dea113b6780c5
SHA256

8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631b
SHA512

cdc1b59205b89e43798b5854133d93eeae01ed10e1cb83e221a06f7f6d0b0a88fbeea9966f6096d01b3c986996c5c63aabdfa1f79e3f34c802e6de03c223cc87
SSDEEP

6144:nvHWrZ+i8/iYiVst4UKVRw8pDrKlGSeNWcx1RsF9gc+XYt:vHW138/iXWlK885rKlGSekcj66ciQ

Score

10^/10

urelas discovery trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

218.54.31.166

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas
Urelas family
urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631bN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	roert.exe

Executes dropped EXE 2 IoCs

pid	Process
4916	roert.exe
1544	pagyr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pagyr.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe
1544	pagyr.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 4916	4052	8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631bN.exe	88
PID 4052 wrote to memory of 4916	4052	8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631bN.exe	88
PID 4052 wrote to memory of 4916	4052	8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631bN.exe	88
PID 4052 wrote to memory of 4172	4052	8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631bN.exe	89
PID 4052 wrote to memory of 4172	4052	8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631bN.exe	89
PID 4052 wrote to memory of 4172	4052	8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631bN.exe	89
PID 4916 wrote to memory of 1544	4916	roert.exe	102
PID 4916 wrote to memory of 1544	4916	roert.exe	102
PID 4916 wrote to memory of 1544	4916	roert.exe	102

C:\Users\Admin\AppData\Local\Temp\8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631bN.exe
"C:\Users\Admin\AppData\Local\Temp\8bfbff72339d971acacbcc637d4005bc29db61840d5970b67cbbecc14cb8631bN.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\roert.exe
  "C:\Users\Admin\AppData\Local\Temp\roert.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4916
- - C:\Users\Admin\AppData\Local\Temp\pagyr.exe
    "C:\Users\Admin\AppData\Local\Temp\pagyr.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
342B

MD5
19503d54ef3534d28ee485a72aba1d3b

SHA1
c8f72ee5adeb4f53d50c1b5c0ebf42ac6198c895

SHA256
7a731290d3e3012fbce6dd7aff5a964e96d967a714f40968140b9b40fd29b484

SHA512
05aca2c0c632b640341fbf9abb0f80634d3ddf9184538862c8ed0d5e228b78d83a3e235a73fd8238d02bb2f26f5cde380deaadca41126e85d03cffe8a56792ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
819622bf02de971b9732b9ea30843c21

SHA1
9d909aa90080c30aa5766b81af8425ac5c8807d9

SHA256
02621d77312bf3a3f3da4b03aaf1a639867be07d5cc11517fed0f5ff22c04eda

SHA512
96feadac6d2412740dffca2e142f0b930668d451eb0bb1e823feac1d7edf55bcb0d067efd8faf109d4229cc605cfffb557b4ed43647379ac4b1407b5c06f8a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pagyr.exe

Filesize
172KB

MD5
0f556f55c544b6f4ce26fd7eaef057ac

SHA1
11491d56413204ee444f0186e9fe39dd3a5d7db4

SHA256
dd77f713f33273bf2534dc31b7c459254338a29f6e1e4e05900851ed1fe2f7aa

SHA512
eb060662ee8c96823ba0b0b2f55987445fbe5ca03f85f44c13487037f153552e1f987bc9b5683ca77ca8f0b0d07258ccf6a666ee7830d803f6504db2402e0ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\roert.exe

Filesize
332KB

MD5
b6759d4c7724fa9a34244a1428e7b9ad

SHA1
83e34e8ca892a0b20af945632f12e3de875a1b48

SHA256
a8206af31979c7d07ed98c423bb5274422015356240e4a5982bcda9df4e1a973

SHA512
9cb6c36505f4c6cbb0d2cea306346d81381746ecc3e61cdf7b56eaf73e1f582fefefa219d504c176e79eb9c15190cf0f7aac48fba9de331735697a6986e27feb

Download Submit
memory/1544-46-0x0000000000A30000-0x0000000000AC9000-memory.dmp

Filesize
612KB

Download
memory/1544-45-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/1544-40-0x0000000000A30000-0x0000000000AC9000-memory.dmp

Filesize
612KB

Download
memory/1544-37-0x0000000000660000-0x0000000000662000-memory.dmp

Filesize
8KB

Download
memory/1544-36-0x0000000000A30000-0x0000000000AC9000-memory.dmp

Filesize
612KB

Download
memory/1544-44-0x0000000000A30000-0x0000000000AC9000-memory.dmp

Filesize
612KB

Download
memory/4052-16-0x0000000000690000-0x0000000000711000-memory.dmp

Filesize
516KB

Download
memory/4052-1-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4052-0-0x0000000000690000-0x0000000000711000-memory.dmp

Filesize
516KB

Download
memory/4916-19-0x00000000006D0000-0x0000000000751000-memory.dmp

Filesize
516KB

Download
memory/4916-39-0x00000000006D0000-0x0000000000751000-memory.dmp

Filesize
516KB

Download
memory/4916-13-0x00000000006D0000-0x0000000000751000-memory.dmp

Filesize
516KB

Download
memory/4916-14-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing